QUESTION 61

What feature on the Cisco ASA is used to check for the presence of an up-to-date antivirus vendor 
on an AnyConnect client? 

A. Dynamic Access Policies with no additional options 

B. Dynamic Access Policies with Host Scan enabled 

C. advanced endpoint assessment 

D. LDAP attribute maps obtained from Antivirus vendor 

Answer: B 

QUESTION 62

What type of attack consists of injecting traffic that is marked with the DSCP value of EF into the 
network? 

A. brute-force attack 

B. QoS marking attack 

C. DHCP starvation attack 

D. SYN flood attack 

Answer: B 

QUESTION 63

Which statement is true regarding Cisco ASA operations using software versions 8.3 and later? 

A. The global access list is matched first before the interface access lists. 

B. Both the interface and global access lists can be applied in the input or output direction. 

C. When creating an access list entry using the Cisco ASDM Add Access Rule window, choosing 
"global" as the interface will apply the access list entry globally. 

D. NAT control is enabled by default. 

E. The static CLI command is used to configure static NAT translation rules.

Answer: A

QUESTION 64 

Which three multicast features are supported on the Cisco ASA? (Choose three.) 

A. PIM sparse mode

B. IGMP forwarding

C. Auto-RP

D. NAT of multicast traffic

Answer: ABD

QUESTION 65

Which three configuration tasks are required for VPN clustering of AnyConnect clients that are 
connecting to an FQDN on the Cisco ASA? (Choose three.)

A. The redirect-fqdn command must be entered under the vpn load-balancing sub-configuration. 

B. Each ASA in the VPN cluster must be able to resolve the IP of all DNS hostnames that are used
in the cluster.

C. The identification and CA certificates for the master FQDN hostname must be imported into each
VPN cluster-member device.

D. The remote-access IP pools must be configured the same on each VPN cluster-member interface. 

Answer: ABC 

QUESTION 66

Which three statements are true about objects and object groups on a Cisco ASA appliance that is 
running Software Version 8.4 or later? (Choose three.) 

A. TCP, UDP, ICMP, and ICMPv6 are supported service object protocol types. 

B. IPv6 object nesting is supported. 

C. Network objects support IPv4 and IPv6 addresses. 

D. Objects are not supported in transparent mode. 

E. Objects are supported in single- and multiple-context firewall modes. 

Answer: ACE 

QUESTION 67

Which command is used to replicate HTTP connections from the Active to the Standby Cisco ASA 
appliance in failover? 

A. monitor-interface http 

B. failover link fover replicate http 

C. failover replication http 

D. interface fover replicate http standby 

E. No command is needed, as this is the default behavior. 

Answer: C 

QUESTION 68

policy-map type inspect ipv6 IPv6-map 
match header routing-type range 0 255 
drop 

class-map outside-class 
match any 

policy-map outside-policy 
class outside-class 
inspect ipv6 IPv6-map 

service-policy outside-policy interface outside 
Refer to the exhibit. 

Given the Cisco ASA configuration above, which commands need to be added in order for the 
Cisco ASA appliance to deny all IPv6 packets with more than three extension headers? 

A. policy-map type inspect ipv6 IPv6-map
match ipv6 header count > 3

B. policy-map outside-policy
class outside-class
inspect ipv6 header count gt 3

C. class-map outside-class
match ipv6 header count greater 3

D. policy-map type inspect ipv6 IPv6-map
match header count gt 3
drop

Answer: D 

QUESTION 69

Which C3PL configuration component is used to tune the inspection timers such as setting the tcp 
idle-time and tcp synwait-time on the Cisco ZBFW? 

A. class-map type inspect 

B. parameter-map type inspect 

C. service-policy type inspect 

D. policy-map type inspect tcp 

E. inspect-map type tcp

Answer: B

QUESTION 70

Which three NAT types support bidirectional traffic initiation? (Choose three.) 

A. static NAT 

B. NAT exemption 

C. policy NAT with nat/global 

D. static PAT 

E. identity NAT 

Answer: ABD 

QUESTION 71

Which IPS module can be installed on the Cisco ASA 5520 appliance? 

A. IPS-AIM 

B. AIP-SSM 

C. AIP-SSC 

D. NME-IPS-K9 

E. IDSM-2 

Answer: B 

QUESTION 72

Which two options best describe the authorization process as it relates to network access? 
(Choose two.) 

A. the process of identifying the validity of a certificate, and validating specific fields in the certificate 
against an identity store 

B. the process of providing network access to the end user 

C. applying enforcement controls, such as downloadable ACLs and VLAN assignment, to the network 
access session of a user 

D. the process of validating the provided credentials 

Answer: BC 

QUESTION 73

If ISE is not Layer 2 adjacent to the Wireless LAN Controller, which two options should be 
configured on the Wireless LAN Controller to profile wireless endpoints accurately? (Choose two.) 

A. Configure the Call Station ID Type to be: "IP Address". 

B. Configure the Call Station ID Type to be: "System MAC Address". 

C. Configure the Call Station ID Type to be: "MAC and IP Address". 

D. Enable DHCP Proxy. 

E. Disable DHCP Proxy. 

Answer: BE 

QUESTION 74

Refer to the exhibit. To configure the Cisco ASA, what should you enter in the Name field, under 
the Group Authentication option for the IPSec VPN client? 

[Exhibit: VPN Client properties dialog for connection entry "Test ASA" (Host: 10.1.1.1), Authentication tab, showing the Group Authentication and Certificate Authentication options]


A. group policy name 

B. crypto map name 

C. isakmp policy name 

D. crypto ipsec transform-set name 

E. tunnel group name 

Answer: E 



QUESTION 75 

Refer to the exhibit. On R1, encrypt counters are incrementing. On R2, packets are decrypted, but
the encrypt counter is not being incremented. What is the most likely cause of this issue? 

[Exhibit: "crypto engine connections active" output for R1 and R2; columns: ID, Interface, Algorithm, Encrypt, Decrypt]



A. a routing problem on R1 

B. a routing problem on R2 

C. incomplete IPsec SA establishment 

D. crypto engine failure on R2 

E. IPsec rekeying is occurring 

Answer: B 



QUESTION 76 

Which two methods are used for forwarding traffic to the Cisco ScanSafe Web Security service? 
(Choose two.) 

A. Cisco AnyConnect VPN Client with Web Security and ScanSafe subscription 

B. Cisco ISR G2 Router with SECK9 and ScanSafe subscription 

C. Cisco ASA adaptive security appliance using DNAT policies to forward traffic to ScanSafe subscription servers 

D. Cisco Web Security Appliance with ScanSafe subscription 



Answer: BC 



QUESTION 77 

Which four statements about SeND for IPv6 are correct? (Choose four.) 



A. It protects against rogue RAs. 

B. NDP exchanges are protected by IPsec SAs and provide for anti-replay. 

C. It defines secure extensions for NDP. 

D. It authorizes routers to advertise certain prefixes. 

E. It provides a method for secure default router election on hosts. 

F. Neighbor identity protection is provided by Cryptographically Generated Addresses that are derived 
from a Diffie-Hellman key exchange. 

G. It is facilitated by the Certification Path Request and Certification Path Response ND messages. 



Answer: ACDE 



QUESTION 78 

What is the recommended network MACSec policy mode for high security deployments? 



A. should-secure 

B. must-not-secure

C. must-secure 

D. monitor-only 

E. high-impact 

Answer: A 

QUESTION 79

Which three statements about NetFlow version 9 are correct? (Choose three.) 

A. It is backward-compatible with versions 8 and 5. 

B. Version 9 is dependent on the underlying transport; only UDP is supported. 

C. A version 9 export packet consists of a packet header and flow sets. 

D. Generating and maintaining valid template flow sets requires additional processing. 

E. NetFlow version 9 does not access the NetFlow cache entry directly. 

Answer: CDE 

QUESTION 80

Which three statements about VXLANs are true? (Choose three.) 

A. It requires that IP protocol 8472 be opened to allow traffic through a firewall. 

B. Layer 2 frames are encapsulated in IP, using a VXLAN ID to identify the source VM. 

C. A VXLAN gateway maps VXLAN IDs to VLAN IDs. 

D. IGMP join messages are sent by new VMs to determine the VXLAN multicast IP. 

E. A VXLAN ID is a 32-bit value. 

Answer: BCD 